If there is a single image that defines March 2026 in EU regulatory enforcement, it is this: France's Council of State confirming an €800,000 data protection fine against a healthcare software provider on February 13 — and that same provider disclosing a breach of 15.8 million patient records just fourteen days later.
The Cegedim Sante case is not an outlier. It is the regulatory landscape working exactly as designed — and still arriving too late to prevent harm.
1. Cegedim Sante — When a Fine Becomes a Prologue
On September 5, 2024, CNIL fined Cegedim Sante €800,000 for processing health data without authorisation and transmitting non-anonymised patient data to customers. CNIL inspections carried out in 2021 had identified these violations.
On February 13, 2026, France's Council of State confirmed all sanctions. Two weeks later, on February 27, France24 reported that the same company's MonLogicielMedical platform had been breached — exposing 15.8 million patient records, including 165,000 files containing HIV status, psychiatric conditions, and sexual orientation data.
What This Means for Compliance Teams
The timeline exposes a structural gap in EU enforcement: the fine addressed violations discovered in 2021, sanctioned in 2024, and confirmed in 2026. By the time the regulatory process concluded, the very data CNIL had flagged was already in the hands of attackers.
Under GDPR Article 83(5), infringements involving health data (an Article 9 special category) carry fines of up to €20 million or 4% of global annual turnover, whichever is higher. The €800,000 fine was modest relative to this ceiling, and the breach may trigger a second, separate enforcement action.
Key takeaway: Enforcement and security are not sequential. Organisations cannot treat regulatory compliance as a post-audit remediation exercise. The controls that CNIL required in 2024 — proper access management, data minimisation, pseudonymisation — are the same controls that would have reduced the blast radius of the 2026 breach.
2. NIS2 — Enforcement Enters Reality
The NIS2 Directive's transposition deadline passed in October 2024. In Q1 2026, the first tangible enforcement actions have begun to materialise across EU member states.
What Is Happening Now
- The Netherlands: The Dutch implementation (Cbw, Cyberbeveiligingswet) was debated in the Tweede Kamer on March 23, 2026 and is expected to enter into force around July 1, 2026, pending parliamentary approval. The NCSC-NL is actively preparing supervisory engagement.
- Germany: BSI (Federal Office for Information Security) has expanded its supervisory capacity and issued guidance requiring critical infrastructure operators to demonstrate compliance with risk management obligations.
- Incident reporting: NIS2 Article 23 requires entities to submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
The Stryker Test Case
The Stryker cyberattack on March 11 — where Iran-linked actors wiped approximately 80,000 devices across 79 countries using a compromised Microsoft Intune account — is being cited by compliance analysts as a real-world NIS2 stress test. The attack exploited a single over-permissioned administrator account without phishing-resistant MFA.
NIS2 Article 21 requires "appropriate and proportionate technical, operational and organisational measures", and Article 21(2) names access control policies and the use of multi-factor authentication among them; privileged account management sits squarely inside that access control obligation. The Stryker incident demonstrated what happens when these measures are inadequate at a company operating across EU critical infrastructure supply chains.
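The Stryker pattern (a standing administrator account, no phishing-resistant MFA, broad role scope) is something an identity team can check for before a supervisor asks. The script below is an added example, not code from this page's authors, from Stryker or from Microsoft: it audits a constructed export of privileged role holders against their registered authentication methods. The field names and method strings are assumptions modelled loosely on the Microsoft Graph userRegistrationDetails report; nothing here calls a live tenant.

```python
"""Audit privileged accounts for phishing-resistant MFA and standing admin rights.

Added example over constructed data. Field names and method strings are
assumptions modelled loosely on Microsoft Graph's userRegistrationDetails
report; no tenant is queried.
"""
import json
from collections import defaultdict

# Methods we treat as phishing-resistant (FIDO2 keys, device-bound passkeys,
# Windows Hello for Business). Everything else is phishable.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}

# Roles whose holders should meet the stricter bar (assumed list for the example).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Intune Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}

# Constructed sample export (not real tenant data).
SAMPLE_REGISTRATIONS = """[
  {"userPrincipalName": "alice@example.test", "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
  {"userPrincipalName": "bob@example.test",   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "carol@example.test", "methodsRegistered": []},
  {"userPrincipalName": "dave@example.test",  "methodsRegistered": ["windowsHelloForBusiness"]}
]"""

# Constructed role assignments; "eligible" means just-in-time via PIM,
# "permanent" means standing rights.
SAMPLE_ASSIGNMENTS = """[
  {"userPrincipalName": "alice@example.test", "role": "Global Administrator",   "assignmentType": "eligible"},
  {"userPrincipalName": "bob@example.test",   "role": "Intune Administrator",   "assignmentType": "permanent"},
  {"userPrincipalName": "carol@example.test", "role": "Security Administrator", "assignmentType": "permanent"},
  {"userPrincipalName": "dave@example.test",  "role": "Global Administrator",   "assignmentType": "permanent"},
  {"userPrincipalName": "dave@example.test",  "role": "Intune Administrator",   "assignmentType": "permanent"},
  {"userPrincipalName": "erin@example.test",  "role": "Helpdesk Administrator", "assignmentType": "permanent"}
]"""


def load_registrations(raw):
    """Map each UPN to the set of authentication methods it has registered."""
    return {r["userPrincipalName"]: set(r.get("methodsRegistered", []))
            for r in json.loads(raw)}


def audit_privileged_access(registrations_raw, assignments_raw):
    """Return (upn, code, detail) findings for every privileged role holder.

    Codes: NO_MFA (nothing registered), WEAK_MFA (only phishable methods),
    STANDING_ADMIN (permanent rather than eligible assignment),
    ROLE_ACCUMULATION (more than one privileged role on one identity).
    """
    methods_by_user = load_registrations(registrations_raw)
    roles_by_user = defaultdict(list)
    for a in json.loads(assignments_raw):
        if a["role"] in PRIVILEGED_ROLES:
            roles_by_user[a["userPrincipalName"]].append(a)

    findings = []
    for upn, assignments in sorted(roles_by_user.items()):
        methods = methods_by_user.get(upn, set())
        if not methods:
            findings.append((upn, "NO_MFA", "no authentication method registered"))
        elif not methods & PHISHING_RESISTANT:
            findings.append((upn, "WEAK_MFA",
                             "only phishable methods: " + ", ".join(sorted(methods))))
        permanent = sorted(a["role"] for a in assignments
                           if a["assignmentType"] == "permanent")
        if permanent:
            findings.append((upn, "STANDING_ADMIN",
                             "permanent assignment of " + ", ".join(permanent)))
        if len(assignments) > 1:
            findings.append((upn, "ROLE_ACCUMULATION",
                             f"holds {len(assignments)} privileged roles"))
    return findings


def main():
    for upn, code, detail in audit_privileged_access(SAMPLE_REGISTRATIONS, SAMPLE_ASSIGNMENTS):
        print(f"{code:<18} {upn:<22} {detail}")


if __name__ == "__main__":
    main()
```

On the sample data, alice (FIDO2 key, eligible assignment, one role) produces no finding, while dave is flagged only for standing rights and role accumulation even though his MFA is phishing-resistant; that separation matters, because the Stryker account reportedly failed on both fronts. The same output, dated and kept, is also the kind of evidence an Article 21 supervisory request will ask for.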
3. DORA — The Financial Sector Clock Is Ticking
The Digital Operational Resilience Act (DORA) entered application on January 17, 2025. Financial entities — banks, insurers, investment firms, fintechs, and their critical ICT third-party providers — are now subject to its full requirements.
Current Status
- ICT risk management frameworks (Chapter II) must be in place and documented
- Incident classification and reporting: a major ICT-related incident must be notified to the competent authority with an initial notification within 4 hours of classifying it as major, and in any case within 24 hours of becoming aware of it; an intermediate report within 72 hours and a final report within one month follow
- Digital operational resilience testing — basic testing annually, threat-led penetration testing (TLPT) every three years for significant entities
- Third-party risk management — registers of ICT third-party arrangements must be maintained and reported to supervisory authorities
March Context
The LexisNexis breach, in which a hardcoded password ("Lexis1234") reused across five database credentials enabled full infrastructure compromise, illustrates the kind of ICT third-party risk that DORA's Chapter V is designed to address. Financial entities relying on such providers, where the service qualifies as an ICT service under DORA, carry the regulatory exposure themselves: Chapter V places the third-party risk obligations on the financial entity, not on the vendor.
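The failure pattern just described (one hardcoded password shared across several database connection strings) is cheap to catch in CI before a vendor assessment or a supervisor finds it. The scanner below is an added example, not code from LexisNexis or from this page's authors: the config it reads is constructed, and the organisation-name token list and the 12-character floor are assumptions chosen for illustration. It reports which keys share a password without ever printing the password itself.

```python
"""Flag hardcoded database credentials that are reused across hosts or trivially guessable.

Added example over a constructed config excerpt. The org-name tokens and the
length floor are illustrative assumptions, not a substitute for a full secret scanner.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed config excerpt modelled on the pattern described above:
# one password shared by five database DSNs, one DSN that correctly reads
# its secret from the environment, and one unrelated strong credential.
SAMPLE_CONFIG = """
ORDERS_DB=postgres://app:Lexis1234@orders-db.internal:5432/orders
BILLING_DB=mysql://billing:Lexis1234@billing-db.internal:3306/billing
SEARCH_DB=postgres://search:Lexis1234@search-db.internal:5432/search
ARCHIVE_DB=mssql://archive:Lexis1234@archive-db.internal:1433/archive
REPORTS_DB=postgres://reports:Lexis1234@reports-db.internal:5432/reports
AUDIT_DB=postgres://audit:${AUDIT_DB_PASSWORD}@audit-db.internal:5432/audit
CACHE_URL=redis://:q7Vn2pL9xR4sT8wK@cache.internal:6379/0
"""

# KEY=scheme://... lines; the DSN itself is parsed with urlsplit, not by regex.
DSN_RE = re.compile(r"^\s*(?P<key>[A-Z0-9_]+)\s*=\s*(?P<dsn>[a-z][a-z0-9+.-]*://\S+)\s*$", re.M)
# ${VAR}, $VAR or <placeholder>: injected at deploy time, not hardcoded.
PLACEHOLDER_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$|^\$[A-Z0-9_]+$|^<[^>]+>$")


def extract_credentials(config_text):
    """Return (key, hostname, password) for every DSN carrying an inline, non-placeholder password."""
    creds = []
    for m in DSN_RE.finditer(config_text):
        parts = urlsplit(m.group("dsn"))
        if parts.password is None:
            continue
        password = unquote(parts.password)
        if PLACEHOLDER_RE.match(password):
            continue
        creds.append((m.group("key"), parts.hostname, password))
    return creds


def is_weak(password, org_tokens=("lexis",)):
    """Heuristic: shorter than 12 characters, or an org name followed only by digits (e.g. Lexis1234)."""
    if len(password) < 12:
        return True
    return any(re.fullmatch(rf"{re.escape(t)}\d+", password, re.I) for t in org_tokens)


def scan(config_text, org_tokens=("lexis",)):
    """Return (code, [config keys], detail) findings; the secret value is never included."""
    by_password = defaultdict(list)
    for key, host, password in extract_credentials(config_text):
        by_password[password].append((key, host))

    findings = []
    for password, uses in by_password.items():
        keys = [k for k, _ in uses]
        hosts = {h for _, h in uses}
        if len(hosts) > 1:
            findings.append(("REUSED", keys, f"one password shared across {len(hosts)} hosts"))
        if is_weak(password, org_tokens):
            findings.append(("WEAK", keys, "short, or org-name-plus-digits pattern"))
    return findings


def main():
    for code, keys, detail in scan(SAMPLE_CONFIG):
        print(f"{code:<7} {detail}: {', '.join(keys)}")


if __name__ == "__main__":
    main()
```

Run against the sample, it flags the five DSNs as both reused and weak, leaves the environment-sourced AUDIT_DB alone, and says nothing about the cache credential. Wiring `scan()` into a pre-commit hook or pipeline step gives a repeatable control that maps directly onto the ICT risk management evidence DORA expects, and it is the kind of check a financial entity can reasonably ask its ICT providers to demonstrate.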
4. Cyber Resilience Act — September 2026 Obligations Begin
The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024, with a phased implementation timeline. The first substantive deadline arrives on September 11, 2026, when the Article 14 reporting obligations begin to apply: manufacturers must report actively exploited vulnerabilities in their products (and severe incidents affecting product security) through the single reporting platform to the coordinating CSIRT and ENISA, with an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. The remaining obligations, including the essential cybersecurity requirements and conformity assessment, apply from December 11, 2027.
What This Means
Any organisation that manufactures or imports products with digital elements into the EU market must prepare for:
- Vulnerability handling processes that can recognise active exploitation and file the early warning within 24 hours of becoming aware
- Coordinated vulnerability disclosure (CVD) policies
- Security update mechanisms for the entire product lifecycle
The Ubiquiti UniFi CVE-2026-22557 disclosure — the third maximum-severity flaw in 12 months — is the kind of pattern that CRA reporting requirements are designed to make visible. Under CRA, manufacturers with this frequency of critical vulnerabilities will need to demonstrate that their development processes are adequate.
5. EU AI Act — Security Teams Must Prepare Before August 2026
The EU AI Act's risk-based framework is being implemented in phases. The next major milestone is August 2, 2026, when obligations for providers and deployers of high-risk AI systems begin to apply.
What Security Teams Should Be Doing Now
- Inventory AI systems — classify every AI system in use by risk category
- Data governance — ensure training and validation data meets quality requirements
- Human oversight mechanisms — high-risk systems must have human-in-the-loop safeguards
- Technical documentation — maintain records sufficient to demonstrate conformity
- Cybersecurity requirements: under Article 15, high-risk AI systems must be resilient against attempts by unauthorised third parties to alter their use, outputs or performance by exploiting system vulnerabilities
The Langflow CVE-2026-33017 incident, where an unauthenticated RCE in an AI development platform was exploited within 20 hours, is a preview of the security challenges AI system providers face. Under the AI Act, a vulnerability this severe in a high-risk AI component would engage the provider's corrective-action obligations and, where it lets an attacker alter the system's outputs or performance, the Article 15 resilience requirement itself.
6. Global Watch
Brazil — LGPD
The Brazilian ANPD (Autoridade Nacional de Protecao de Dados) continues to build enforcement capacity. LGPD Article 52 penalties — up to 2% of revenue, capped at R$50 million per infraction — remain applicable. Organisations operating across both EU and Brazilian markets should note that GDPR and LGPD share overlapping but not identical requirements for international data transfers.
India — DPDP Act
India's Digital Personal Data Protection Act, 2023 is expected to see rules finalised in 2026. The Act establishes a Data Protection Board with authority to impose penalties up to INR 250 crore (~€27 million). Organisations processing Indian personal data should monitor the rule-making process for consent manager requirements and cross-border data flow provisions.
United States — SEC Cyber Disclosure
The SEC's cybersecurity disclosure rules (adopted July 2023) continue to shape how public companies report material cyber incidents. The LexisNexis breach, which exposed records of 118 US government employees including federal judges and DOJ attorneys, is the type of incident that triggers SEC materiality analysis for publicly traded entities in the legal services sector.
What to Do This Month
| Priority | Action | Relevant Framework |
|---|---|---|
| Immediate | Review privileged access controls: Stryker showed one admin account can be catastrophic | NIS2 Art. 21, ISO 27001:2022 (A.8.2), NIST CSF 2.0 (PR.AA, formerly PR.AC) |
| By June 2026 | Complete NIS2 self-assessment if in scope (NL deadline June 30) | NIS2 Directive |
| By August 2026 | Inventory and classify all AI systems by risk category | EU AI Act |
| By September 2026 | Establish CRA-compliant vulnerability disclosure and 24-hour reporting process | CRA |
| Ongoing | Ensure DORA ICT incident reporting capability (4-hour determination timeline) | DORA Chapter III |
| Ongoing | Validate that GDPR health data processing has adequate technical measures | GDPR Art. 32, Art. 83 |
Regulatory Radar is a monthly series tracking enforcement actions, compliance deadlines, and regulatory developments relevant to European mid-market organisations. Subscribe to our RSS feed to receive each edition as it publishes.